Adequately understanding the higher-risk areas of your organization is paramount to ensuring that your control environment is effective. Organizations know what to do to conduct their business, but not necessarily how the associated activities might introduce or elevate risk within their organizations. Providing a means to identify, explore, and mitigate risk to the organization can greatly increase the opportunity for achievement of the organization’s goals and objectives. One such means is having a Control Self-Assessment (CSA) conducted.
CSA is a workshop approach of gathering and validating information about risk to an organization with an overarching goal of optimizing the opportunity for an organization to achieve its goals and objectives. The Institute of Internal Auditors’ A Perspective on Control Self-Assessment defines four methodologies for conducting CSAs: objective-based (focus on accomplishing defined objectives), risk-based (identifies barriers from meeting the objectives), control-based (focuses on the effectiveness of controls), or process-based (focuses on the achievement of specific activities in the process).
A CSA is led by a facilitator who, in preparation of the CSA, solicits and compiles critical information about the organization in order to strictly define the scope of the CSA. The facilitator conducts direct inquiries, reviews management reports, and performs surveys to capture needed data. The survey approach enables a larger number of stakeholders to have direct input into the process.
After the preliminary information is compiled, the CSA will schedule a facilitated workshop with select key stakeholders (senior management, process owners, board members, etc.). The workshop requires the shareholders to come together and collectively respond to the facilitator’s questions drawn from the information previously gathered and explore outcomes of the responses to arrive at consensus and action plans. The facilitator validates the outcomes continuously throughout the exercise with the participants to ensure reliable results.
Although facilitated sessions provide the opportunity for everyone to provide input, outcomes are driven based on majority vote in the process. Input is captured through electronic or manual voting and the results of the workshop are compiled for presentation back to the stakeholder and can be a valuable tool in strategic planning and risk mitigation.
The success of CSA is contingent on many factors. An organization could benefit most from CSA when there is enterprise-wide knowledge of the organizational mission and an understanding of policies, procedures, risks and control practices. CSA approaches vary, and the parties that conduct the facilitation come from varying backgrounds. Many facilitators receive certification in Control Self-Assessment through The Institute of Internal Auditors certification program. The certification demonstrates that the facilitator has the skills needed to effectively design and conduct a CSA.
This article touches just the surface of CSA. If you would like to consider CSA as a part of your organization’s overall risk management process, Schneider Downs can help. Please access our website to learn more about our firm’s Internal Audit and Risk Advisory Services practice.
© 2012 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax-related matter.